Fix regression that permitted script tags to be injected

@buro9 buro9 released this 27 Mar 10:35
f0b9183

#111 revealed that an earlier fix had regressed: <script> tags could be injected by using the uppercase Cyrillic i, because when Go lowercases it, the UTF-8 rune maps to an ASCII rune. The fix prevents this by retaining the ASCII escaping.
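
The lowercasing behaviour described above, as an added Go example that is not bluemonday's own code: it enumerates the non-ASCII runes that `unicode.ToLower` maps to ASCII and contrasts Unicode lowercasing with ASCII-only lowercasing when a tag name is compared. The function names and the sample tag name are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// foldsToASCII returns every non-ASCII rune that unicode.ToLower maps to an
// ASCII rune. These are the runes that can hide an ASCII name from a filter
// that inspects a string before it is lowercased.
func foldsToASCII() map[rune]rune {
	out := map[rune]rune{}
	for r := rune(0x80); r <= unicode.MaxRune; r++ {
		if l := unicode.ToLower(r); l < 0x80 {
			out[r] = l
		}
	}
	return out
}

// asciiLower lowercases A-Z only and leaves all other runes untouched, so a
// non-ASCII rune can never turn into an ASCII letter.
func asciiLower(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'A' && r <= 'Z' {
			return r + ('a' - 'A')
		}
		return r
	}, s)
}

// becomesTarget reports whether name equals target only after Unicode
// lowercasing, which is the case a sanitizer must not let through.
func becomesTarget(name, target string) bool {
	return strings.ToLower(name) == target && asciiLower(name) != target
}

func main() {
	for r, l := range foldsToASCII() {
		fmt.Printf("U+%04X lowercases to %q\n", r, l)
	}
	// Constructed sample: a tag name containing one rune from the table above.
	name := "SCR\u0130PT"
	fmt.Println(strings.ToLower(name) == "script") // Unicode lowercasing
	fmt.Println(asciiLower(name) == "script")      // ASCII-only lowercasing
	fmt.Println(becomesTarget(name, "script"))
}
```

Running `becomesTarget` over tag and attribute names in a sanitizer's test corpus flags any input whose meaning changes between the point where it is checked and the point where it is lowercased.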